US9942224B2 · Active · Utility Patent · PatentIndex 72

Management and authentication in hosted directory service

Assignee: AMAZON TECH INC
Priority: Sep 29, 2014 · Filed: Mar 10, 2017 · Granted: Apr 10, 2018
Est. expiry: Sep 29, 2034 (~8.2 yrs left) · nominal 20-yr term from priority
Inventors: MEHTA GAURANG PANKAJ; AGRAWAL NEELAM SATISH; AUNG LAWRENCE HUN-GI; RAO GURUPRAKASH BANGALORE; WANG SHUO; PALANDE SAMEER; RAI KRITHI; PANDYA CHIRAG PRAVIN
CPC: H04L 63/102, H04L 63/08, H04L 63/083, H04L 63/0815, G06F 21/6218, H04L 63/0853, G06F 16/24, H04L 63/105, H04L 63/0838, H04L 63/06, H04L 63/0807

PatentIndex Score: 72 · Cited by: 3 · References: 35 · Claims: 19

Abstract

A user, group, and device management and authentication system allows administrators to manage one or more directories with devices that are not associated with a domain of the one or more directories via a set of APIs. The system also allows applications and services that do not have direct access to a list of directory users to access the one or more directories. The user, group, and device management and authentication system may be an add-on system that works in conjunction with a centrally-managed directory service to provide such functionality. For example, the system may generate an access token associated with a particular directory that can be used by a service accessed by an administrator to call an API provided by the system. The API call may be translated into a directory-specific API call that can be used to perform an action in the particular directory.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A computer-implemented method of managing one or more directories, the method comprising:
receiving, from an application service in communication with a user device over a network, a call for an operation, wherein the call includes an access token and an operation-specific parameter;
determining that the access token is valid;
determining, based at least in part on the access token being valid, a directory in a plurality of directories associated with the access token;
determining that the access token maps to a directory service token;
transmitting the directory service token and the operation-specific parameter to an agent associated with the determined directory, wherein receipt of the directory service token and the operation-specific parameter causes the agent to perform the operation;
receiving results of the performed operation from the agent; and
transmitting the results of the performed operation to the application service.

2. The computer-implemented method of claim 1, wherein transmitting the directory service token to an agent associated with the determined directory further comprises transmitting the directory service token to the agent associated with the determined directory such that the operation is performed in the determined directory.

3. The computer-implemented method of claim 1, wherein the user device is not associated with the determined directory.

4. The computer-implemented method of claim 1, wherein determining that the access token is valid further comprises determining that the access token is valid in time and for a managed directory service that the user device is attempting to access.

5. The computer-implemented method of claim 1, wherein determining a directory in the plurality of directories associated with the access token comprises querying a directory database that comprises an association between the access token and the directory in the plurality of directories.

6. The computer-implemented method of claim 1, wherein the operation comprises adding a user to the determined directory based on the operation-specific parameter.

7. The computer-implemented method of claim 6, wherein the agent instructs the determined directory to add the user to the determined directory using the operation-specific parameter.

8. The computer-implemented method of claim 1, wherein the operation-specific parameter comprises a password.

9. A system comprising:
a plurality of computing systems, wherein a computing system hosts a directory in a plurality of directories; and
a computing resource service provider system, the computing resource service provider system in communication with the plurality of computing systems, the computer resource service provider system configured with specific executable instructions that, when executed, cause the computing resource service provider system to at least:
receive, from an application service in communication with a user device over a network, a call for an operation, wherein the call includes an access token and an operation-specific parameter;
determine that the access token is valid;
determine, based at least in part on the access token being valid, a directory in the plurality of directories associated with the access token;
determine that the access token maps to a directory service token;
transmit the directory service token and the operation-specific parameter to an agent associated with the determined directory, wherein receipt of the directory service token and the operation-specific parameter causes the agent to perform the operation;
receive results of the performed operation from the agent; and
transmit the results of the performed operation to the application service.

10. The system of claim 9, wherein the specific executable instructions, when executed, further cause the computing resource service provider system to at least transmit the directory service token to the agent associated with the determined directory such that the operation is performed in the determined directory.

11. The system of claim 9, wherein the user device is not associated with the determined directory.

12. The system of claim 9, wherein the specific executable instructions, when executed, further cause the computing resource service provider system to at least determine that the access token is valid in time and for a managed directory service that the user device is attempting to access.

13. The system of claim 9, wherein the specific executable instructions, when executed, further cause the computing resource service provider system to at least query a directory database that comprises an association between the access token and the directory in the plurality of directories.

14. The system of claim 9, wherein the operation-specific parameter comprises a password.

15. The system of claim 9, wherein the operation comprises adding a user to the determined directory based on the operation-specific parameter.

16. A non-transitory computer storage system comprising a non-transitory storage device, said computer storage system having stored thereon executable program instructions that direct a computer system to at least:
receive, from an application service in communication with a user device over a network, a call for an operation, wherein the call includes an access token and an operation-specific parameter;
determine that the access token is valid;
determine, based at least in part on the access token being valid, a directory in the plurality of directories associated with the access token;
determine that the access token maps to a directory service token;
transmit the directory service token and the operation-specific parameter to an agent associated with the determined directory, wherein receipt of the directory service token and the operation-specific parameter causes the agent to perform the operation;
receive results of the performed operation from the agent; and
transmit the results of the performed operation to the application service.

17. The non-transitory computer storage system of claim 16, wherein the executable program instructions further direct the computer system to at least transmit the directory service token to an agent associated with the determined directory such that the operation is performed in the determined directory.

18. The non-transitory computer storage system of claim 16, wherein the user device is not associated with the determined directory.

19. The non-transitory computer storage system of claim 16, wherein the executable program instructions further direct the computer system to at least determine that the access token is valid in time and for a managed directory service that the user device is attempting to access.
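The claim-1 flow as an added example (not code from the patent or from Amazon): the broker validates the access token in time and for the service being accessed (claim 4), resolves the directory bound to that token (claim 5), swaps it for the directory service token, and forwards the operation to the directory's agent. The token values, directory ids, the in-memory "directory database" and the FakeAgent are all constructed for illustration; the key property shown is that the application service only ever holds the access token, never the directory service token.

```python
import hmac
from dataclasses import dataclass

ISSUED = 1_700_000_000  # constructed reference timestamp (seconds)

@dataclass
class AccessToken:
    directory_id: str   # directory the token is bound to (claim 5 association)
    service: str        # managed directory service the token is scoped to (claim 4)
    expires_at: int     # validity in time (claim 4)

# Constructed directory database: access token -> binding, and
# directory -> directory service token (the claim-1 "maps to" relation).
ACCESS_TOKENS = {
    "at-1111": AccessToken("d-corp", "managed-directory", ISSUED + 3600),
    "at-2222": AccessToken("d-lab", "managed-directory", ISSUED - 1),  # expired
}
DIRECTORY_SERVICE_TOKENS = {"d-corp": "dst-corp-example", "d-lab": "dst-lab-example"}

class FakeAgent:
    """Stand-in for the per-directory agent (hypothetical); records usernames added."""
    def __init__(self, directory_id):
        self.directory_id = directory_id
        self.users = set()

    def perform(self, service_token, operation, params):
        # The agent accepts only its own directory's service token (constant-time compare).
        if not hmac.compare_digest(service_token, DIRECTORY_SERVICE_TOKENS[self.directory_id]):
            return {"ok": False, "error": "bad directory service token"}
        if operation == "add_user":  # claims 6-8: add a user using the parameter (e.g. a password)
            self.users.add(params["username"])  # a real agent would set the password in the directory
            return {"ok": True, "directory": self.directory_id, "user": params["username"]}
        return {"ok": False, "error": "unsupported operation"}

AGENTS = {"d-corp": FakeAgent("d-corp"), "d-lab": FakeAgent("d-lab")}

def handle_call(access_token, service, operation, params, now):
    """Broker side of claim 1. Errors are uniform so a caller cannot learn
    whether a token exists, is expired, or which directory it maps to."""
    tok = ACCESS_TOKENS.get(access_token)
    if tok is None or tok.expires_at <= now or tok.service != service:
        return {"ok": False, "error": "invalid access token"}
    service_token = DIRECTORY_SERVICE_TOKENS.get(tok.directory_id)
    agent = AGENTS.get(tok.directory_id)
    if service_token is None or agent is None:
        return {"ok": False, "error": "invalid access token"}
    # Only the agent receives the directory service token; the results go back to the caller.
    return agent.perform(service_token, operation, params)
```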
